Connect with us

Hi, what are you looking for?


Application Security

NSA Issues Guidance on Incorporating SBOMs to Improve Cybersecurity

NSA has published guidance to help organizations incorporate SBOM to mitigate supply chain risks.

The National Security Agency (NSA) has published new guidance to help organizations incorporate software bills of materials (SBOMs) and mitigate supply chain risks.

In May 2021, the White House issued a cybersecurity executive order, mandating the use of SBOMs for transparency and cyber risk mitigation, as they would provide a complete picture of software components, including open source software, and their relationships.

The NSA guidance (PDF) follows previous recommendations that the US government has provided on SBOMs and is meant to help organizations improve SBOM management by following three steps: cyber risk analysis, vulnerability analysis, and incident response.

The agency recommends that software suppliers mature their SBOM exchange practices, that both private and government organizations expand their SBOM research to help standardize solutions, and that software developers take ownership of customer security outcomes.

“SBOMs and SBOM management tools play a part in enforcing the requirement to make software secure by design as they provide a mechanism to determine software component risk and establish a level of confidence in the software’s freedom from vulnerabilities,” the NSA notes.

Software consumers, the NSA says, should leverage available government resources to ensure they acquire secure software.

National Security System (NSS) owners are advised to develop and require software component information containing details on each software component, identification of all software dependencies, a container manifest for software with container components, digital signatures or authentication for component validation, SBOMs generated using source code for NSS-related software specifically developed under contract, the completeness of SBOMs for all software, limited rights to reverse-engineer software for validation purposes, and contract metrics for tracking and assessment.

NSA’s guidance also recommends a series of best practices for NSS owners and shares details on the functionality that organizations should look for when considering SBOM management tools.

Advertisement. Scroll to continue reading.

“As software bills of materials become more integral to cybersecurity supply chain risk management standards, best practices will become critical to ensuring efficiency and reliability of the software supply chain. These guidelines provide the information [network owners and operators] need to select the appropriate tools to reduce an organization’s overall risk exposure,” NSA cybersecurity director Rob Joyce said.

Related: SBOMs – Software Supply Chain Security’s Future or Fantasy?

Related: The SBOM Bombshell

Related: New SBOM Hub Helps All Stakeholders in Software Distribution Chain

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.